Jv Cyberguard

Let's Go Phishing!!

Updated: Mar 13, 2023


So I just finished the Phishing Analysis domain in preparation for the Blue Team Level 1 certification. For those of you who do not know, BTL 1 was created by Security Blue Team, a UK company. It is the first practical defensive cybersecurity training that culminates in a 24-hour incident response certification exam. It is newer than a lot of other cybersecurity certs, but it is already highly regarded among many cybersecurity professionals due to its rigor and its ability to prepare people for security analyst roles.


Here's the link to check it out if you'd like: https://securityblue.team


Now back to the topic. Yesterday, I received a phishing e-mail in my inbox. In this blog post I will be applying all the skills that I acquired in the Phishing Analysis domain to investigate and report on the phishing attack against my personal account.


The image below shows the e-mail that was received. It is a suspicious e-mail appearing to be from Apple. It has very similar styling to Apple emails and it states that the recipient’s Apple ID has been locked and that the user needs to click on the button to verify their account and regain access to their Apple account.



To briefly summarize how I conducted this investigation, I did the following:

  1. Retrieved the e-mail.

  2. Collected all relevant artifacts (e-mail and web artifacts).

  3. Analyzed and investigated the artifacts.

  4. Took defensive measures.



Retrieving the email


On my MacBook, I did not have the Outlook desktop client installed, so I sent the e-mail to myself and downloaded the .eml file (this is a common extension for saved e-mails). As a result, I was able to retrieve and open the suspected phishing e-mail with my Thunderbird e-mail application. It is best practice that the e-mail be retrieved and opened in a secured virtual machine or on a system that does not contain sensitive data.



Collecting E-mail and Web artifacts


I was quickly able to gather some of the artifacts from just looking at the e-mail. These were as follows:


Sender:

szv26tfa3z@tcfbakn.com


Subject Line:

Re: Your Ap‌p‌le I‌D has been lock‌‌e‌‌d‌‌ on Saturday, May, 28 2022 [ref:_582734]


Recipient:

no_reply@email.apple.com


Date and Time:

5/28/22, 12:55 PM


The other artifacts that I needed to retrieve to properly conduct the analysis were the IP address of the sending server, the reverse DNS of the sending server, and any web artifacts such as the URL to which the button leads. I needed a text editor to retrieve this information, so I used Sublime Text. I was quickly able to retrieve the sending server IP by searching the document for 'X-Sender-IP'. I then used MXToolBox (https://mxtoolbox.com/ReverseLookup.aspx) to perform a reverse DNS lookup to identify the hostname of the sending server IP.


Sending server IP(X-Sender-IP):

209.85.221.47


Reverse DNS of Sender IP:

mail-wr1-f47.google.com


The next thing I needed to retrieve was the URL that the 'Verify your account' button in the e-mail leads to.





While I could have simply obtained the hyperlink by right-clicking the button, I did not want to risk opening the link, so I opened the e-mail in Sublime Text in the hope of identifying the link through the anchor tags (<a> </a>). However, the HTML body was base64-encoded, so I used the CyberChef tool to decode it.


Using CyberChef to convert the HTML in the e-mail from base64 to plain text.


After successfully decoding the HTML, I was able to retrieve the following web artifacts:

Note well. To safely include the URLs in this report and to prevent you from clicking on the links by chance, I defanged (Google it...lol) the URLs.


URL(sanitized):

hxxps:[//]tkjj6dj57yhsryfb.maillist-manage[.]com/click.zc?m=66866578&mrd=tkjj6dj57yhsryfb&od=ywtCi6BTnNv7gufgKtdJAc5oBR4XzRAFPU4GHx2og9x&linkDgs=1d5b0af6afb81645&repDgs=1d5b0af6afb8181f


Root domain (sanitized):

hxxps:[//]maillist-manage[.]com
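As an added example (not code from the original post), the script below automates the artifact collection described above: it parses a constructed .eml built from the artifacts listed in this post, reads the sender, recipient and X-Sender-IP headers, base64-decodes the HTML part (the CyberChef step), pulls the anchor hrefs, defangs them in the post's hxxps:[//] style, and strips the zero-width characters that appear in the captured subject line so the text can be matched by a filter. The HTML body is a stand-in, and the reverse DNS lookup is a network call that is left out.

```python
import base64, email, re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample .eml: headers from the post's artifacts; the HTML body is a stand-in,
# base64 transfer-encoded as the original message was.
HTML_BODY = ('<p>Your Apple ID has been locked.</p><a href="https://tkjj6dj57yhsryfb.'
             'maillist-manage.com/click.zc?m=66866578&amp;mrd=tkjj6dj57yhsryfb">Verify</a>')
SUBJECT = "Re: Your Ap\u200cp\u200cle I\u200cD has been lock\u200ce\u200cd [ref:_582734]"
SAMPLE_EML = (
    "From: szv26tfa3z@tcfbakn.com\r\nTo: no_reply@email.apple.com\r\n"
    "Subject: =?utf-8?b?" + base64.b64encode(SUBJECT.encode()).decode() + "?=\r\n"
    "Date: Sat, 28 May 2022 12:55:00 -0400\r\nX-Sender-IP: 209.85.221.47\r\n"
    "Content-Type: text/html; charset=utf-8\r\nContent-Transfer-Encoding: base64\r\n"
    "\r\n" + base64.b64encode(HTML_BODY.encode()).decode() + "\r\n")

# Zero-width characters read as "Apple ID" to a human but defeat naive keyword matches.
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")

class LinkExtractor(HTMLParser):
    """Collects href values from <a> tags; HTMLParser unescapes &amp; for us."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

def defang(url):
    """Make a URL unclickable (hxxps:[//]host[.]tld/path), the post's convention."""
    parts = urlsplit(url)
    rest = url.split("://", 1)[1][len(parts.netloc):]
    return f"{parts.scheme.replace('http', 'hxxp')}:[//]{parts.netloc.replace('.', '[.]')}{rest}"

def triage(raw_eml):
    """Pull the header and web artifacts the post collects by hand out of an .eml."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    subject, links = str(msg["Subject"]), LinkExtractor()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            # decode=True undoes the base64 transfer encoding (the CyberChef step)
            links.feed(part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8"))
    # Naive registrable-domain guess (last two labels); fine here, wrong for e.g. co.uk
    roots = {".".join(urlsplit(u).hostname.split(".")[-2:]) for u in links.links}
    return {"sender": str(msg["From"]), "recipient": str(msg["To"]),
            "date": str(msg["Date"]), "x_sender_ip": str(msg["X-Sender-IP"]),
            "subject_visible": ZERO_WIDTH.sub("", subject),
            "zero_width_count": len(ZERO_WIDTH.findall(subject)),
            "urls": [defang(u) for u in links.links],
            "root_domains": sorted(r.replace(".", "[.]") for r in roots)}
```

Point `triage()` at the contents of a real .eml file to get the same dictionary for a message you are investigating.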



Analyzing the artifacts...is the e-mail malicious?


To determine how harmful or harmless the phishing e-mail was, I used various tools to analyze the artifacts that had been collected.


Firstly, the reverse DNS of the sender IP (using MXToolBox) showed that the e-mail did not originate from an Apple server but rather from a Gmail server. This also means that the sender spoofed his e-mail address, since the domain of his mailbox was 'tcfbakn[.]com' and not 'gmail.com'. Additionally, the recipient and CC e-mail addresses were purposely chosen as 'no_reply@email.apple.com' to make the recipient believe that the message actually came from Apple.


Secondly, I used URLScan.io to capture a screenshot of the website without actually visiting it. However, URLScan.io returned an error for the link in the button, stating that it could not be scanned and that the URL had been blacklisted.


VirusTotal, a file and URL reputation tool, was used next to further investigate whether the link led to a malicious site. The URL search on VirusTotal showed no threat associated with the 'Verify your account' button URL.


Not satisfied, I took it one step further and decided to conduct malware analysis and sandboxing with Hybrid Analysis. The report showed that the URL was indeed malicious and was making efforts to contact two other hosts. It was also identified as using the Query Registry technique (T1012) of the MITRE ATT&CK matrix.


Images below are from the Hybrid Analysis report of the URL.




Finally, I decided to conduct a URL2PNG scan of the root domain to see whether the entire website had been created with malicious intent or whether the domain had been compromised. The URL2PNG scan of the root domain captured a screenshot of a legitimate website. The homepage states that the site belongs to an active e-mail marketing service company and that the root domain is used for e-mail campaigns sent out by their users.


Screenshot of URL2PNG scan of root domain below.


Defensive measures to be taken


Request an e-mail gateway block for the sender address 'szv26tfa3z@tcfbakn.com'.


We cannot block the sending server because it is a Gmail server; doing so would prevent legitimate e-mails from reaching my inbox later on.


As stated earlier, the root domain is legitimate and is used for e-mail campaigns. Therefore, requesting a web proxy block of the root domain would be excessive, since the website is not malicious in nature. The home page states that if you "still have received spam" you should write to the e-mail address they list, so we will be doing this as well.


Lastly, we will request a web proxy URL block for 'hxxps:[//]tkjj6dj57yhsryfb.maillist-manage[.]com/click.zc?m=66866578&mrd=tkjj6dj57yhsryfb&od=ywtCi6BTnNv7gufgKtdJAc5oBR4XzRAFPU4GHx2og9x&linkDgs=1d5b0af6afb81645&repDgs=1d5b0af6afb8181f'.


This way we make sure that no one reaches the website even if they click the link by accident.



Lessons Learned


I believe this was a really good exercise. It reminds us of the danger of phishing e-mails and how easily malicious actors can take advantage of users to cripple a network. I was expecting the 'Verify Your Account' button to lead to an Apple credential harvester, but it actually led to the download of malicious files instead, which is just as bad in my opinion.


The next domain I will be covering in my prep toward the BTL 1 Certification is Threat Intelligence. I look forward to applying the knowledge gained in that domain to real world scenarios.


Oh hey, before you go, feel free to subscribe to my YT channel below.











